Internal Control Components: Risk Assessment

Updated: Dec 30, 2022


Risk assessment is the second of the five internal control elements.


An effective risk assessment process implemented and maintained by management would provide important information needed to determine what business/fraud risks should be managed so that appropriate actions can be taken.


Management may initiate plans or programs or implement policies and procedures to address specific risks.


Or, it may decide to accept a risk because of cost or other considerations.


If the entity’s risk assessment process is appropriate to the circumstances, it will assist the auditor in identifying risks of material misstatement.


A risk assessment process would normally address such matters as:

  • Changes in the operating environment;

  • New senior personnel;

  • New or revamped information systems;

  • Rapid growth;

  • New technology;

  • New business models, products, or activities;

  • Corporate restructurings (including divestitures and acquisitions);

  • Expanded foreign operations; and

  • New accounting pronouncements.

In smaller entities where a formal risk assessment process is unlikely to exist, the auditor would discuss with management how business risks are identified and how they are addressed.


Matters the auditor should consider are how management:

  • Identifies risks relevant to financial reporting;

  • Estimates the significance of the risks;

  • Assesses the likelihood of their occurrence; and

  • Decides upon actions to manage them.


The auditor is also required to evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances or determine whether it represents a significant deficiency in internal control.


If the auditor identifies risks of material misstatement that management failed to identify, he/she should consider:

  • Why did management’s processes fail?

  • Are the processes appropriate to the circumstances?

If a significant deficiency exists in the entity’s risk assessment process (or there is no process), it would be communicated to management and those charged with governance.


Conditions and Events That May Indicate Risks of Material Misstatement

Appendix 2 of ISA 315 (Revised) contains a useful list of possible conditions and events that may indicate the existence of risks of material misstatement, as set out below.

The examples provided cover a broad range of conditions and events; however, not all conditions and events are relevant to every audit engagement, and the list of examples is not necessarily complete.

  • Operations in economically unstable regions, including countries with significant currency devaluation or highly inflationary economies.

  • Operations exposed to volatile markets, for example, futures trading.

  • Operations that are subject to a high degree of complex regulation.

  • Going concern and liquidity issues, including loss of significant customers.

  • Constraints on the availability of capital and credit.

  • Changes in the industry in which the entity operates.

  • Changes in the supply chain.

  • Developing or offering new products or services or moving into new lines of business.

  • Expanding into new locations.

  • Changes in the entity, such as large acquisitions, reorganisations, or other unusual events.

  • Entities or business segments likely to be sold.

  • The existence of complex alliances and joint ventures.

  • Use of off-balance sheet finance, special-purpose entities, and other complex financing arrangements.

  • Significant transactions with related parties.

  • Lack of personnel with appropriate accounting and financial reporting skills.

  • Changes in key personnel, including the departure of key executives.

  • Deficiencies in internal control, especially those not addressed by management.

  • Inconsistencies between the entity’s IT strategy and its business strategies.

  • Changes in the IT environment.

  • Installation of significant new IT systems related to financial reporting.

  • Inquiries into the entity’s operations or financial results by regulatory or government bodies.

  • Past misstatements, history of errors or significant adjustments at period end.

  • A significant amount of non-routine or non-systematic transactions, including intercompany transactions and large revenue transactions at period end.

  • Transactions that are recorded based on management’s intent, for example, debt refinancing, selling assets, and classification of marketable securities.

  • Application of new accounting pronouncements.

  • Accounting measurements that involve complex processes.

  • Events or transactions that involve significant measurement uncertainty, including accounting estimates.

  • Pending litigation and contingent liabilities, for example, sales warranties, financial guarantees and environmental remediation.

